U.S. senators from both parties on Tuesday grilled the chairman of the Securities and Exchange Commission — the agency responsible for policing Wall Street — on its handling of a 2016 data breach that was disclosed only last week.
The hack breached the SEC's system for handling corporate filings intended for investors, known as EDGAR. That has raised concerns that the hackers may have gained advance looks at filings and engaged in insider trading.
The SEC's disclosure also followed a much larger breach at credit reporting firm Equifax that exposed sensitive personal information belonging to 143 million Americans. Lawmakers also blasted Equifax executives for their delay in disclosing the hack, even as some executives sold shares in the company. Equifax's CEO stepped down Tuesday.
"I was disturbed to learn that the SEC suffered a cyber-breach of its EDGAR system in 2016, but did not notify the public, or even all of its commissioners, until it was discovered during your recent review," said Senate Banking Committee Chairman Mike Crapo, R-Idaho.
SEC Chairman Jay Clayton told the committee that the incident "concerns me deeply" and added that he has ordered an investigation by the agency's inspector general. On Monday the SEC said it had created a new cyber unit that will target market manipulation, hacking and dark-web operatives.
Clayton said he became aware of the attack in August, months after becoming chairman in May. But he couldn't say when the hack occurred or when an investigation into the breach would be completed.
He also said he couldn't guarantee "that this was the only breach that we had."
Sen. Sherrod Brown, D-Ohio, acknowledged that the breach occurred before Clayton took office. But he slammed the chairman for not revealing it more quickly.
"When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug," Brown said. "Of course this breach took place under your predecessor, but the disclosure, or lack thereof, is all yours."
Brown and other senators also expressed outrage about how Equifax handled its breach, which it didn't disclose until six weeks after discovering it.
Three Equifax executives sold shares worth a combined $1.8 million before the company revealed it had been hacked. Equifax says the executives were unaware of the breach prior to the stock sales.
Clayton refused to comment when asked if executives at Equifax engaged in insider trading when they sold their shares. He did not confirm or deny that the SEC was investigating the issue.
However, he opened the door to potentially forcing the executives to return the proceeds of the stock sales, if the company's six-week delay in disclosing the breach is found to be improper. Equifax's stock is down more than 26 percent since the company disclosed the hack after the close of trading on Wall Street on Sept. 7.
Under questioning, Clayton agreed that publicly traded companies needed to do more to disclose the risks they faced from cyberattacks and to disclose them more quickly when they occur.
He also said the agency needed more resources for data security and to combat future attacks. The SEC did not seek any increase to its budget for next year, but Clayton said that would change when it submits its budget for its 2019 fiscal year that begins in October of next year.
"We are going to need more money for IT security and technology generally and I intend to ask for it," he said.
The amount a single Wall Street bank spends on cybersecurity "dwarfs" the SEC's budget, he said.